Bug ID 1213721
Summary [SELinux] <topic>
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter jbohac@suse.com
QA Contact security-team@suse.de
Target Milestone ---
Found By ---
Blocker ---

The new versions of kdump (since v1.9.0) save the initrd in
/var/lib/kdump/initrd and maintain a symlink to the kernel the initrd has been
built for in /var/lib/kdump/kernel.

E.g.:
        dhcp198:~ # ls -lZ /var/lib/kdump/
        total 35476
        -rw-------. 1 root root system_u:object_r:kdump_var_lib_t:s0 36322984 Jul 27 14:28 initrd
        lrwxrwxrwx. 1 root root system_u:object_r:kdump_var_lib_t:s0       40 Jul 27 14:28 kernel -> /usr/lib/modules/6.3.9-5-default/vmlinuz

SELinux blocks the following of the symlink during kdump service start.

audit2allow suggests:
        allow kdump_t kdump_var_lib_t:lnk_file read;

To me (a complete SELinux noob) this makes sense and indeed creating and loading
a module with
        audit2allow -M kdump-fix < /var/log/audit/audit.log
        semodule -i kdump-fix.pp
fixes the problem.


Operating System: openSUSE MicroOS

SELinux status, mode and policy name: <TODO>
        SELinux status:                 enabled
        SELinuxfs mount:                /sys/fs/selinux
        SELinux root directory:         /etc/selinux
        Loaded policy name:             targeted
        Current mode:                   enforcing
        Mode from config file:          enforcing
        Policy MLS status:              enabled
        Policy deny_unknown status:     allowed
        Memory protection checking:     actual (secure)
        Max kernel policy version:      33

SELinux policy version and repository: <TODO>
        dhcp198:~ # rpm -qa|grep selinux-pol
        selinux-policy-20230622-2.1.noarch
        selinux-policy-targeted-20230622-2.1.noarch

The software (incl. version) that is affected by the SELinux issue and the
error message: kdump
SELinux Audit log: 
        dhcp198:~ # ausearch -ts today -m avc
        ----
        time->Thu Jul 27 14:26:15 2023
        type=PROCTITLE msg=audit(1690467975.028:134): proctitle=2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C002D2D617070656E643D2072642E74696D656F75743D36302072642E72657472793D34352071756965742073797374656D642E73686F775F7374617475733D79657320636F6E736F6C653D74747953302C31313532303020636F6E73
        type=SYSCALL msg=audit(1690467975.028:134): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d633da7 a2=0 a3=0 items=0 ppid=4833 pid=4834 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
        type=AVC msg=audit(1690467975.028:134): avc:  denied  { read } for  pid=4834 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
        ----
        time->Thu Jul 27 14:26:15 2023
        type=PROCTITLE msg=audit(1690467975.032:135): proctitle=2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C002D2D617070656E643D2072642E74696D656F75743D36302072642E72657472793D34352071756965742073797374656D642E73686F775F7374617475733D79657320636F6E736F6C653D74747953302C31313532303020636F6E73
        type=SYSCALL msg=audit(1690467975.032:135): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc2c117daa a2=0 a3=0 items=0 ppid=4835 pid=4836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
        type=AVC msg=audit(1690467975.032:135): avc:  denied  { read } for  pid=4836 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
        ----
        time->Thu Jul 27 14:26:15 2023
        type=PROCTITLE msg=audit(1690467975.032:136): proctitle=2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C002D2D617070656E643D2072642E74696D656F75743D36302072642E72657472793D34352071756965742073797374656D642E73686F775F7374617475733D79657320636F6E736F6C653D74747953302C31313532303020636F6E73
        type=SYSCALL msg=audit(1690467975.032:136): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc2c117daa a2=0 a3=0 items=0 ppid=4835 pid=4836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
        type=AVC msg=audit(1690467975.032:136): avc:  denied  { read } for  pid=4836 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
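
Added example, not part of the original report: a small Python parser that decodes the hex-encoded proctitle from the records above and derives allow rules only for denials whose source domain is kdump_t, so unrelated denials elsewhere in audit.log do not end up in the local module. The function names and the third sample record (example_t) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records from the report plus one unrelated,
# hypothetical denial (example_t) to show that the domain filter excludes it.
SAMPLE_LOG = """\
type=AVC msg=audit(1690467975.028:134): avc:  denied  { read } for  pid=4834 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1690467975.032:135): avc:  denied  { read } for  pid=4836 comm="kexec" name="kernel" dev="sda3" ino=48130 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1690467999.000:140): avc:  denied  { write } for  pid=5000 comm="example" name="x" dev="sda3" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

# Leading bytes of the proctitle value in the report; the rest of that value
# is the --append kernel command line and is left out here.
PROCTITLE_PREFIX = "2F7362696E2F6B65786563002D70002F7661722F6C69622F6B64756D702F6B65726E656C"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}\s+for\s.*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)"
)


def decode_proctitle(hex_value):
    """auditd hex-encodes argv and separates the arguments with NUL bytes."""
    return bytes.fromhex(hex_value).decode("utf-8", "replace").split("\x00")


def rules_for_domain(log_text, domain):
    """Return deduplicated allow rules for denials whose source type is `domain`."""
    grouped = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        # A context is user:role:type:level; the type is the third field.
        src = m["s"].split(":")[2]
        if src != domain:
            continue
        tgt = m["t"].split(":")[2]
        grouped[(src, tgt, m["cls"])].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print(decode_proctitle(PROCTITLE_PREFIX))
    print("\n".join(rules_for_domain(SAMPLE_LOG, "kdump_t")))
```
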

